Human Subjects, Third Parties, and the Law

When you put your cell phone in your pocket or bag this morning, did you consent to have all of your movements tracked and used for research? I don’t remember signing that consent form, do you? Did you also know information about every place you’ve been with your phone over the course of years could be obtained by law enforcement without a warrant in much of the country? It happens, a lot. Two carriers got nearly 125,000 requests for this data last year. No judicial oversight was involved because the police didn’t spy on you, the phone company did – and you said they could give your data to police without a warrant, remember? That fine print we had to agree to if we wanted to use our phones said something about lawful requests from law enforcement? You might assume “lawful” includes judicial oversight. But . . . no.

The Supreme Court will be hearing an important privacy case this week. Back in 1979 the court decided police didn’t have to get a warrant to see what numbers someone dialed if they thought that person was involved in criminal activity. The majority decision said people didn’t have a reasonable expectation of privacy, given the phone company kept records of who called who in order to do business. (Remember how expensive long distance calls were back then? They kept track!) This is the “third party doctrine” – if a third party collects data, and you consented to that party collecting it, no need to bother a judge.

There were two dissents in Smith v Maryland. The first ends with a simple statement of why metadata matters.

The numbers dialed from a private telephone - although certainly more prosaic than the conversation itself - are not without "content." Most private telephone subscribers may have their own numbers listed in a publicly distributed directory, but I doubt there are any who would be happy to have broadcast to the world a list of the local or long distance numbers they have called. This is not because such a list might in some sense be incriminating, but because it easily could reveal the identities of the persons and the places called, and thus reveal the most intimate details of a person's life.

The second dissent makes a relevant point about how this could go horribly wrong.

[U]nless a person is prepared to forgo use of what for many has become a personal or professional necessity, he cannot help but accept the risk of surveillance. . . . Permitting governmental access to telephone records on less than probable cause may thus impede certain forms of political affiliation and journalistic endeavor that are the hallmark of a truly free society. Particularly given the Government's previous reliance on warrantless telephonic surveillance to trace reporters' sources and monitor protected political activity, I am unwilling to insulate use of pen registers from independent judicial review.

What those guys said. We have little choice but to use our phones. That should not mean we forfeit an expectation of privacy even if we gave it up to our phone company or our search engine or the app we use to stay in touch with family. It’s not unreasonable to expect that the government should not be able to literally retrace our steps without some court oversight.

As it happens, I recently read a story about how two economists were able to analyze family relationships affected by last year’s presidential election. They used voting data, information about political ad placement, and massive amounts of travel information, comparing how people in contested areas behaved during Thanksgiving 2015 and 2016. They concluded families, divided by politics, spent less time together or, in their words, “27 million person-hours of cross-partisan Thanksgiving discourse were lost in 2016 to ad-fueled partisan effects.” Among the data they used was information purchased from a company that sells geo-location data gathered from the cell phones of 10 million Americans providing what they call “truth-sets.” (Somebody, send these guys a philosopher, stat.) The website displays logos of customers, and while the examples seem to involve business uses (e.g. "understanding of each business's popularity, taxonomy, hours, etc."), the number of universities included is striking.

Did those ten million people agree to have their location information gathered and sold by this company? Nope. They signed a contract with a third party. Did the economists get consent from their human subjects? What a silly question. It does not appear to have even crossed their minds.

I live in Minnesota, one of a handful of states that require police to get a warrant to use cell-phone location information. I also try to remember to keep location services turned off on my phone unless I need to get somewhere using a map. I shouldn’t have to choose where to live or how to safeguard my location information to have a measure of privacy.

I hope the Supreme Court reins in warrantless surveillance. I hope someday we acquire the political will to regulate corporate surveillance. I would like to think researchers, even when purchasing massive data sets to do interesting work, might give some thought to the ethics of using data about people who never knowingly gave consent for that use. I can hope, right?